A "subprocessor" is any third party we rely on to deliver the growyour.music service. Where a subprocessor processes personal data on our behalf, we have signed their Data Processing Addendum (or accepted their standard terms), and international transfers are covered by the UK International Data Transfer Addendum and the EU Standard Contractual Clauses as indicated below.
This list is kept in lockstep with our internal vendor register. If you spot something missing or stale, email privacy@growyour.music and we will correct it.

| Subprocessor | Purpose | Data types | Region | Transfer mechanism |
|---|---|---|---|---|
| Supabase (Supabase, Inc.) | Primary database, authentication storage, object storage for audio + user exports. | Account data, uploaded audio, transaction records, consent events, all relational data. | EU (Frankfurt) | Intra-EEA — no international transfer |
| Netlify (Netlify, Inc.) | Web hosting, scheduled functions, CDN. | Request metadata (IP, user-agent), access logs. | Global edge (US HQ) | SCCs + UK IDTA (Netlify DPA) |
| Stripe (Stripe Payments Europe, Ltd.) | Payment processing, Stripe Connect for curator payouts, subscription billing. | Name, email, billing/postal address, card details (tokenized — we do not see card numbers), transaction history. | EEA (Ireland) for EU customers; US for others | SCCs + UK IDTA (Stripe DPA) |
| Resend (Resend, Inc.) | Transactional + marketing email delivery. | Email addresses, names, email content, delivery + bounce events. | US | SCCs + UK IDTA |
| PostHog (PostHog Inc.) | Product analytics, feature flags, session replay (sampled). | Anonymous visitor ID, authenticated user ID, page + feature events, device metadata. | EU (Frankfurt) — our instance is on the EU cloud. | Intra-EEA |
| Meta Platforms, Inc. | Meta Marketing API for Instagram / Facebook ad campaigns (Ad Studio) and Meta Pixel conversion tracking when the visitor has consented. | Pixel events, conversion events, hashed email for custom audiences (only when user consents to marketing). | US | SCCs + UK IDTA |
| TikTok / ByteDance | TikTok Ads API and TikTok Pixel when the visitor has consented. | Pixel events, conversion events. | US / Ireland | SCCs + UK IDTA |
| Google LLC (Google Ads + YouTube Ads + Analytics) | Google / YouTube ad campaigns and Google Analytics 4 when the visitor has consented to analytics or marketing cookies. | Analytics events, ad conversion events, pseudonymous visitor IDs. | US / EU | SCCs + UK IDTA (Google Ads DPT) |
| Reddit, Inc. | Reddit Ads API and conversion tracking when the visitor has consented. | Ad conversion events, pseudonymous Reddit UID. | US | SCCs + UK IDTA |
| Spotify AB | Spotify OAuth for Presave campaigns; Spotify metadata fetch for Smart Paste. | Spotify user ID, access/refresh tokens, public profile (when user authorises). | EEA (Sweden) | Intra-EEA |
| SoundCloud Limited | SoundCloud OAuth for download-gate verification and oEmbed player. | SoundCloud user ID, access/refresh tokens, public profile. | EEA (Germany) / US | SCCs + UK IDTA |
| Exa (Metaphor Systems, Inc.) | Web search / link discovery for artist profile enrichment. | Search queries we send (artist name, label name). No end-user PII sent. | US | SCCs + UK IDTA |
| Groq, Inc. | Primary LLM inference for AI text generation (feedback assistance, content drafting). | Prompt text (may contain user-provided free-text content). | US | SCCs + UK IDTA |
| Google Gemini API | Fallback LLM inference when Groq is unavailable. | Prompt text (may contain user-provided free-text content). | US / EU | SCCs + UK IDTA |
| Apify | Managed scraping runtime for Spotify metadata enrichment (public data only). | Public Spotify metadata. No personal data. | EEA (Czech Republic) | Intra-EEA |
| AcoustID / MusicBrainz (MetaBrainz Foundation) | Copyright + duplicate detection lookup against the public MusicBrainz database. | Audio fingerprint hash (not personal data — see Cookies page). | US non-profit (mirrored globally) | Publicly available database; anonymous API call |
| Cloudflare, Inc. | CDN, DDoS protection, DNS. | Request metadata (IP, user-agent), edge access logs. | Global edge | SCCs + UK IDTA |
| Freshdesk (Freshworks, Inc.) | Customer support ticketing (planned — enabled once paid-plan tier). | Email address, support message content. | EU (Frankfurt) | Intra-EEA |
| Sentry (Functional Software, Inc.) | Error tracking for server + client runtime exceptions. | Error messages, stack traces, deployment metadata. No deliberate PII; incidental user IDs possible. | US | SCCs + UK IDTA |

Change notifications

We will update this page whenever we add, replace, or remove a subprocessor that touches personal data. The "Last updated" date at the top of the page reflects the most recent change.
